GitHub Artifact Attestations(github.blog)
github.blog
GitHub Artifact Attestations
https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
1 comments
I'm personally really excited for this feature: one of the hard lessons around any sort of digital signing is that users do not manage or store their keys correctly, and that poor UX/DX around signing tools (most notably GPG) leads to pervasive normalization of deviance around unsafe practices. Lifting digital signing to the identity later (i.e. by binding it to a digital identity that can be provably controlled, like a GitHub repository) sidesteps nearly all of these problems.